No organization can go it alone when confronting evolving cyberthreats, according to experts who presented at the Medical Device Innovation, Safety and Security Consortium’s fall conference, held last week in Arlington, VA. For conference participants, information sharing is key to protecting medical devices—and patients—from potential attacks by a variety of actors.

Private companies such as Target aren’t asked to deploy surface-to-air missiles to protect themselves from a potential attack by Russia, said Jamil Jaffer, director of the National Security Institute at George Mason University. Yet, individual hospitals “are expected to defend themselves” from state-sponsored cyberattacks―a threat that is “very real,” according to Jaffer.

Instead of relying on healthcare delivery organizations (HDOs), medical device manufacturers, or health technology developers to address cyberthreats on their own, the Food and Drug Administration (FDA) has advocated for a “whole of community” approach to cybersecurity, according to Suzanne Schwartz, FDA’s associate director for science and strategic partnerships.

“No sole entity is capable of being able to address this complex issue alone,” Schwartz said during her presentation.

A major part of building this community relies on sharing information, according to Evan Wolff, partner at Crowell & Moring LLP in Washington, DC, where he co-chairs the firm's Privacy and Cybersecurity Group.

“Information sharing provides for a common defense,” he said. But in order to be effective, the organizations sharing the information need to have:

Common technology.

Common threats or threat actors, as sharing information about nation-state threats is not helpful if many in the community are under attack by cybercriminals.

Compared to the defense or energy sectors, information sharing in healthcare is still in its infancy.

“I think that we don’t share enough,” said Hai Ngo, chief information security officer at New York University Langone Medical Center. “We want to share. We want a safe place to share.”

The FDA has partnered with communities such as the National Health Information Sharing and Analysis Center (NH-ISAC) to create an environment that “fosters stakeholder collaboration and communication, and encourages the sharing of information about cybersecurity threats and vulnerabilities that may affect the safety, effectiveness, integrity, and security of the medical devices and the surrounding health IT infrastructure,” according to its postmarket cybersecurity guidance.

“We want to encourage the importance of information sharing and disclosures of information and get to that point where—maybe not in a year from now but maybe in two or three years from now—that will be just routine practice across all of the medical device ecosystem, and it won’t be seen as unusual for vulnerabilities to be identified,” Schwartz said.

Despite this encouragement to participate in a community such as NH-ISAC, there are a number of real and perceived barriers to information sharing in the healthcare sector.

“Unfortunately, sometimes the champions out there―the ones who are willing to put themselves out on a limb―are the ones that from a public perception may seem to be penalized by the press and the media for what it is that they are doing,” Schwartz said of medical device manufacturers who are leading the way in information sharing and coordinated disclosures of vulnerabilities.

For HDOs, a major concern is the potential for violating the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule.

“As one of the original drafters of the HIPAA privacy rules—the HIPAA privacy rules are not designed to block the appropriate sharing of information for important public health reasons, [including] patient safety,” said Jodi Daniel, a partner at Crowell & Moring LLP who spent 15 years at the U.S. Department of Health and Human Services. “In addition, there are provisions that basically say that the rules don’t apply when information is de-identified. So, if you are simply sharing security threat or incident information without personally identifiable information, then in fact it might not even be subject to the HIPAA rules.”